Bug 193935 - Failure attempting to create trace file when running as non-root
Summary: Failure attempting to create trace file when running as non-root
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: tog-pegasus
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Jason Vas Dias
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-06-03 01:10 UTC by Denise Eckstein
Modified: 2007-11-30 22:07 UTC (History)
0 users

Clone Of:
Last Closed: 2006-11-22 17:17:48 UTC

Attachments (Terms of Use)

Description Denise Eckstein 2006-06-03 01:10:38 UTC
Description of problem:

The "traceLevel" and "traceComponents" cimconfig options control tracing for 
both the cimserver and cimprovagt processes.

A Provider Agent Process writes its trace output to a file, in 
the /var/lib/Pegasus/cache/trace directory, whose name contains the associated 
provider module name. To ensure uniqueness (and avoid collisions in writing to 
the trace files), a user name is also appended to the trace file name. For 
example, the Provider Agent Process for the OperatingSystemModule in the 
context of user "A" writes to the trace 
file "cimserver.trc.OperatingSystemModule.A".

By default, only root has access to 
the /var/lib/Pegasus, /var/lib/Pegasus/cache/ and /var/lib/Pegasus/cache/trace 

# chmod 777 Pegasus
# chmod 777 Pegasus/cache
# chmod 777 Pegasus/cache/trace

Note: Permissions on trace files allow read and write access to only the 
owner. E.g.,

-rw------- 1 root root 66550 May 6 15:03 cimserver.trc
-rw------- 1 guest pegasus 6921 May 6 15:03 
-rw------- 1 root root 866 May 6 15:03 cimserver.trc.OperatingSystemModule.root

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure OS Provider to Run-As-Requestor
2. Enable tracing
   2A. # cimconfig -s traceLevel=4
   2B. # cimconfig -s traceComponents=ALL
Actual results:

Expected results:

Additional info:

Comment 1 Jason Vas Dias 2006-06-05 18:39:00 UTC
OK, the next version will enable mode 0770 for /var/lib/Pegasus/cache/trace .
I don't think users not in the pegasus group need write / seach access to
/var/lib/Pegasus/cache/trace - users must be in the pegasus group in order
to connect to the cimserver, so I think mode 0770 should be sufficient, not 0777.
I do not think we want to enable mode 0770 for /var/lib/Pegasus/cache, else
any user could delete the /var/lib/Pegasus/cache/localauth directory, thus
disabling local authentication.

Comment 2 Denise Eckstein 2006-06-05 21:25:58 UTC
Sounds good.  If the administrator configures OpenPegasus to allow access by 
non-pegasus group users, they'll also need to change permissions on these 
directories to ...

# chmod 755 Pegasus
# chmod 755 Pegasus/cache
# chmod 777 Pegasus/cache/trace

but we can document this.


Comment 4 Bill Nottingham 2006-11-22 17:17:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.